
Trojan Horse installed with firefox

  • 16 replies
  • 1 has this problem
  • 20 views
  • Last reply by Tonnes


I installed Firefox 59.0.2 tonight, and was alerted that a Trojan Horse was installed with the crash installer app. ClamXav's Clam Sentry alerted me—and yes, the definitions are updated daily.

Link to installer: https://download-installer.cdn.mozilla.net/pub/firefox/releases/59.0.2/mac/en-GB/Firefox%2059.0.2.dmg

Is this a new false-positive? Clam Sentry alerted it as a LIVE virus, so it wouldn't allow me to quarantine it—delete only.


I deleted everything, but pulled this from Console:

/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/Resources/crashreporter.icns: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/Resources: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/_CodeSignature: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/Resources/crashreporter.ini: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/Resources/English.lproj/MainMenu.nib/classes.nib: OK
/Applications/Firefox.app/Contents/MacOS/crashreporter.app/Contents/_CodeSignature/CodeResources: OK

Checking {
   MallocNanoZone = 0;
}
for pattern .*
/Applications/Firefox.app/Contents/Info: Trojan.OSX.Flashback FOUND
Live Infections Found: 1

Checking {
   MallocNanoZone = 0;
}
for pattern .*
/Applications/Firefox.app/Contents/Info: Trojan.OSX.Flashback FOUND
Live Infections Found: 1

System: OS X 10.9.2

Full download and install of 59.0.2, not an update.


All Replies (16)


Hi,

It's best to download Firefox from here :

https://www.mozilla.org/en-US/firefox/all/?q=English%20(British)


Sorry, to clarify, I downloaded FF from mozilla.org and the installer link I included earlier is the same as the one I got just now from the link you sent—thanks anyhow.

I think the page my download originated from was the page that has all of the latest versions of FF.

The resulting download is the same, though: https://download-installer.cdn.mozilla.net/pub/firefox/releases/59.0.2/mac/en-GB/Firefox%2059.0.2.dmg


Downloads from the Mozilla CDN server should be fine.

You can verify the file by using the KEY and checksum file.
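The checksum step mentioned above, as an added example that is not part of this thread: Mozilla publishes a SHA256SUMS file (and a detached signature of it) alongside each release, and each line pairs a digest with a path relative to the release root, such as `mac/en-GB/Firefox 59.0.2.dmg`. The installer bytes and the SHA256SUMS excerpt below are constructed stand-ins so the example runs offline; verifying the signature on SHA256SUMS with the published KEY is the second step and is not shown here.

```python
import hashlib
import hmac
import re

# Constructed sample data, not Mozilla's real files. The digest line for the
# .dmg is derived from the sample bytes here only so the example runs offline;
# in practice the SHA256SUMS file comes from the release directory itself.
SAMPLE_DMG = b"constructed stand-in for Firefox 59.0.2.dmg\n"
TAMPERED_DMG = SAMPLE_DMG + b"x"          # one extra byte: must fail verification
SAMPLE_SUMS = (
    "deadbeef" * 8 + "  linux-x86_64/en-GB/firefox-59.0.2.tar.bz2\n"
    + hashlib.sha256(SAMPLE_DMG).hexdigest() + "  mac/en-GB/Firefox 59.0.2.dmg\n"
)

# "<64 hex chars><whitespace><optional *><path>"; paths may contain spaces,
# so everything after the digest is taken as the path.
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_sha256sums(text):
    """Map each relative path listed in a SHA256SUMS file to its expected digest."""
    expected = {}
    for line in text.splitlines():
        m = SUMS_LINE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def sha256_of(data, chunk=1 << 20):
    """Hash the download in chunks, as one would for a file of real installer size."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_download(data, release_path, sums_text):
    """True only if release_path is listed and the data's digest matches it.

    A path missing from the list is an error rather than a silent False, so a
    typo in the path cannot be mistaken for a tampered file.
    """
    expected = parse_sha256sums(sums_text)
    if release_path not in expected:
        raise KeyError(f"{release_path!r} not listed in SHA256SUMS")
    return hmac.compare_digest(sha256_of(data), expected[release_path])
```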


VanessaKing said

I think the page my download originated from was the page that has all of the latest versions of FF.

So does this page :

https://www.mozilla.org/firefox/all/

I just thought I'd make it easier on you by selecting your language ......


Thanks… No, it's another page, close but:

https://www.mozilla.org/en-US/firefox/releases/


VanessaKing said

Thanks… No, it's another page, close but: https://www.mozilla.org/en-US/firefox/releases/

Nothing wrong with that page.

But if it would set your mind at ease, maybe you could uninstall the previously downloaded version and download from here :

https://www.mozilla.org/en-US/firefox/all/?q=English%20(British)

And/or maybe contact ClamXAV Sentry Support :

https://www.clamxav.com/support/


I'm way ahead of you. I uninstalled it immediately after getting the alert and I've opened a ticket with ClamXav.

I'll update this when I hear back, thanks.


Any update on this? Same issue, only on macOS 10.13.4 and Firefox 59.0.2. ClamXAV v2.18.1/0.100.0 (3610).

However, the machine I am on now with all of the above info has indicated nothing, but when I run the commands on it to detect the so called Flashback Trojan, I receive the following:

Mac-Pro:~ pil13$ defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
{
   MallocNanoZone = 0;
}
Mac-Pro:~ pil13$

Do you know if this indicates another issue, or if this is common in Firefox?

I have contacted ClamXAV as well, but want to know why Firefox is showing this response, so I posted it here.
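An added triage example, not part of this thread and not ClamXAV's or Mozilla's code, for the `defaults read` output above. Background the thread does not state: Flashback variants persisted by adding a `DYLD_INSERT_LIBRARIES` entry under `LSEnvironment` in a browser's Info.plist so the system loaded their library into every browser process, which is why a signature keyed on `LSEnvironment` in Firefox's Info.plist can fire on the harmless `MallocNanoZone` allocator setting. The two plists and the dylib path below are constructed samples, not Firefox's real file.

```python
import plistlib

# Constructed sample Info.plist fragments (not Firefox's real file). The first
# mirrors what the thread's `defaults read` output shows: an LSEnvironment
# dictionary whose only entry is MallocNanoZone = 0, an allocator tuning knob.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>org.mozilla.firefox</string>
  <key>LSEnvironment</key><dict>
    <key>MallocNanoZone</key><string>0</string>
  </dict>
</dict></plist>"""

# The second is a constructed example of the LSEnvironment shape that does
# warrant attention: a dynamic-linker variable that pulls an extra library
# into the process. The dylib path is a placeholder, not a real indicator.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>org.mozilla.firefox</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key><string>/Users/Shared/.example_injected.dylib</string>
  </dict>
</dict></plist>"""

# Variables that change what dyld loads into every process the bundle starts.
INJECTION_KEYS = {"DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH", "DYLD_FRAMEWORK_PATH"}


def triage_lsenvironment(plist_bytes):
    """Report what LSEnvironment sets and whether any entry alters dyld loading.

    Presence of LSEnvironment alone is not evidence of tampering (Firefox ships
    one); only loader-affecting keys push the verdict to "suspicious".
    """
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment") or {}
    injection = {k: v for k, v in env.items()
                 if k in INJECTION_KEYS or k.startswith("DYLD_")}
    return {
        "bundle": info.get("CFBundleIdentifier"),
        "has_lsenvironment": bool(env),
        "keys": sorted(env),
        "injection": injection,
        "verdict": "suspicious" if injection else "benign",
    }
```

On a real machine the same function can be fed `open("/Applications/Firefox.app/Contents/Info.plist", "rb").read()`; plistlib accepts both the XML and the binary form.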


When I download the .dmg file and submit it to VirusTotal it tests clean:

https://www.virustotal.com/#/file/642a87311a0f264a165c41a3599c681e7272c2dc43a3c1f71ea632223f9a5ad5/detection

However, I didn't extract it because I'm on Windows...


Thanks Jefferson. Just an odd thing to show up after all these years and out of the blue. Still waiting for ClamXAV to comment.


My bet is it’s a false positive, yet caused by one Firefox file as confirmed / suggested in this thread.

"This was caused by the Firefox developers leaving a setting enabled in one of the files embedded within the Firefox.app itself. [...] The developer has pushed out a fix via virus defs. Just update your virus definitions which will prevent the detection from recurring."

As you update your virus definitions daily, how about commenting in that thread?

Modified by Tonnes


Thanks Tonnes, yes, updated every day.


I'm still waiting for more detail from ClamXav, too. The definitions should be the same—even if I am using an older version—but I asked them, to be sure, and am waiting to hear back.


VanessaKing said

I'm still waiting for more detail from ClamXav, too. The definitions should be the same—even if I am using an older version—but I asked them, to be sure, and am waiting to hear back.

Hi, FYI: if you upload the file to https://www.virustotal.com/ it is scanned by 65 anti-virus engines, including ClamAV. You can scan URLs as well, and it has a search feature.


Hi Pkshadow.... Thanks for the tip. I will look into it.


FWIW, and as said, it’s most likely a(nother) false positive by ClamXav, probably not worth worrying about. Scan results from other sources as reported above, as well as the Firefox installer being downloaded from the original and trusted (Mozilla) source, should indicate that. Moreover, I find 5000+ results when searching for ClamXav and "false positive", so this issue doesn’t seem to be entirely new.

I do appreciate the TS wants to hear back from ClamXav of course, but IMO reports by any antivirus product or its vendor should never prevail just because it’s paid software. The same goes for issues when running with Firefox and such products - some users even refuse to disable their security software in order to do some proper troubleshooting, only because they paid for it. Not good.